DNS impairment redirects thousands of websites to malware

Cybercriminals are exploiting the possibility of DNS impairment to redirects visitors of thousands legitimate websites to compromised domains used to serve malware.

DNS impairment or rather compromising DNS to distribute malicious code, cyber criminals are very attracted by the possibility to use DNS servers to redirect users that trying to visit a legitimate domain are hijacked to a malicious server. DNS servers manage thousand of legitimate domains this means that compromising them the attackers could control an impressive amount of requests directed to them serving malware from any domain that uses the DNS service.

On 5th August 3 Dutch web hosting companies suffered cyber attacks, their name servers were altered by attackers that appear to have accessed an account at the Dutch national domain registrar, SIDN, changing the details of the company’s name servers to malicious servers controlled by criminals.

Three web hosting companies were affected by the DNS server compromise:

Digitalus

VDX

Webstekker

The website of large Dutch online electronics retailer Conrad.nl was reportedly found to be spreading malware, and was taken down immediately after the discovery. In the following image the source code found on the page where visitors where redirected:

According to several news reports, hackers managed to access the DRS (domain registration system) of SIDN, despite DNS records were altered for 5 hours the attackers set the Time to Live value for their malicious DNS entries to 24 hours, in this way any ISP that cached the DNS response for one of the affected domains would redirected users to malicious servers for up to 24 hours after the initial malicious DNS change had been resolved.

The effect of the attack was that each DNS request for the domains managed by the hosting companies were redirected to a web site (IP address 178.33.22.5) showed an ‘under construction’ message that contains a hidden iframe that pointed users’ browsers to an exploit kit hosted at:

This exploit kit is designed to exploit two browser vulnerabilities, the PDF flaw CVE-2010-0188 and an unidentified Java exploit. Once infected the victims the exploits also download another malicious payload disguised as an image file:

hxxp://www.champagnekopen.nl/wp-content/uploads/2013/07/tr2.jpg

A Cisco blog post described the additional content downloaded with the following statements:

“This file is actually an executable (.exe) file that installs a Tor client on the visitor’s machine, then connects over an encrypted channel to the IP address 154.35.32.5 and downloads content. Subsequently, the malware connects to 194.109.206.212, exchanges further content over an encrypted channel before connecting to Tor entrance nodes.”

What is very concerning is that against this category of attack users are helpless, cybercriminals use to compromise websites with high reputation to deceive victims and spread malware, also malicious code used are usually very difficult to detect, the exploits could be based on zero-day vulnerability making impossible their detection.

In the specific case the company could monitor/block Tor traffic on their networks despite is it no easy due the encrypted communications, the detection and the stopping of Tor traffic would block the communication of malicious code with the command and control servers.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.